Client/Server Access Control

A server application provides services to clients. For example, a server could perform the following services on behalf of a client:

  • Save and retrieve information from a private database
  • Access network resources
  • Start processes in the client's security context on the server's computer

A protected server controls access to its services. Windows provides security support that enables a server to do the following:

  • Impersonate a client's security context, which causes the system to perform most access and privilege checks against the client's access token rather than the server's
  • Log a client on to the server's computer
  • Connect to network resources using the client's security context
  • Create security descriptors to protect private objects
  • Determine whether a security descriptor allows access to a client
  • Determine whether a set of privileges is enabled in a client's token
  • Generate audit messages in the security event log to record attempts by a client to access objects or use privileges
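The two checks in the list above, deciding whether a security descriptor grants a client access and whether a client's token has a required set of privileges enabled, follow well-defined rules that are easy to misjudge (ACE order, NULL versus empty DACLs, "all" versus "any" privilege semantics). The portable C program below is an added illustration, not Windows code and not the Win32 API: it re-implements the core of the DACL walk that AccessCheck performs and the all-or-any rule of PrivilegeCheck on simplified in-memory structures. The token, SIDs, ACEs and access-right bits are constructed sample values; owner-implied rights and privilege-based overrides that the real system applies are deliberately left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access rights for a hypothetical private object (constructed values). */
enum { ACCESS_READ = 0x1, ACCESS_WRITE = 0x2, ACCESS_EXECUTE = 0x4, ACCESS_DELETE = 0x8 };

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;

/* One access control entry: who it names and which rights it covers. */
typedef struct { ace_type type; const char *sid; uint32_t mask; } ace;

/* A security descriptor reduced to its DACL. dacl_present == false models a
   NULL DACL (no protection at all); dacl_present with count == 0 models an
   empty DACL (nobody is granted anything). */
typedef struct { bool dacl_present; size_t count; const ace *aces; } security_descriptor;

/* The parts of a client's access token that the two checks consult. */
typedef struct {
    const char *sids[8];  size_t nsids;   /* user SID plus enabled group SIDs */
    const char *privs[8]; size_t nprivs;  /* privileges currently enabled */
} token;

static bool has_str(const char *const *list, size_t n, const char *s) {
    for (size_t i = 0; i < n; i++) if (strcmp(list[i], s) == 0) return true;
    return false;
}

/* Walk the ACEs in stored order, skip those that name no SID in the token,
   stop with denial as soon as a deny ACE covers any still-ungranted right,
   and grant once every requested right has been covered by an allow ACE.
   Returns the granted mask, or 0 when access is denied. (The real check also
   grants READ_CONTROL/WRITE_DAC to the owner and honours privileges such as
   SeTakeOwnershipPrivilege; those paths are omitted here.) */
uint32_t granted_access(const security_descriptor *sd, const token *t, uint32_t desired) {
    if (!sd->dacl_present) return desired;           /* NULL DACL: everyone gets everything */
    uint32_t remaining = desired;
    for (size_t i = 0; i < sd->count && remaining != 0; i++) {
        const ace *a = &sd->aces[i];
        if (!has_str(t->sids, t->nsids, a->sid)) continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining) return 0;       /* an explicit deny ends the check */
        } else {
            remaining &= ~a->mask;                   /* allow ACEs accumulate */
        }
    }
    return remaining == 0 ? desired : 0;
}

/* Mirror the two modes of PrivilegeCheck: with all_required (the
   PRIVILEGE_SET_ALL_NECESSARY case) every listed privilege must be enabled
   in the token; otherwise one enabled privilege is enough. */
bool privileges_enabled(const token *t, const char *const *required, size_t n, bool all_required) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        if (has_str(t->privs, t->nprivs, required[i])) found++;
    return all_required ? found == n : found > 0;
}

/* ---- Constructed sample data: SIDs and names are made up ---- */
const token ALICE = {
    { "S-1-5-21-1-1-1-1001", "S-1-5-32-545", "S-1-1-0" }, 3,   /* alice, Users, Everyone */
    { "SeChangeNotifyPrivilege", "SeShutdownPrivilege" }, 2,
};
const char *const SHUTDOWN_AND_BACKUP[] = { "SeShutdownPrivilege", "SeBackupPrivilege" };

/* Canonical order: deny ACEs precede allow ACEs. */
static const ace CANONICAL_ACES[] = {
    { ACE_DENY,  "S-1-5-21-1-1-1-1001", ACCESS_WRITE },
    { ACE_ALLOW, "S-1-5-32-545",        ACCESS_READ | ACCESS_WRITE },
    { ACE_ALLOW, "S-1-1-0",             ACCESS_EXECUTE },
};
const security_descriptor SD_CANONICAL = { true, 3, CANONICAL_ACES };

/* Same ACEs with the deny placed last: the allow for Users is reached first,
   so the intended deny never takes effect. */
static const ace NONCANONICAL_ACES[] = {
    { ACE_ALLOW, "S-1-5-32-545",        ACCESS_READ | ACCESS_WRITE },
    { ACE_DENY,  "S-1-5-21-1-1-1-1001", ACCESS_WRITE },
};
const security_descriptor SD_NONCANONICAL = { true, 2, NONCANONICAL_ACES };
const security_descriptor SD_EMPTY_DACL   = { true, 0, NULL };
const security_descriptor SD_NULL_DACL    = { false, 0, NULL };

int main(void) {
    printf("read  on canonical DACL:     0x%x\n", granted_access(&SD_CANONICAL, &ALICE, ACCESS_READ));
    printf("write on canonical DACL:     0x%x\n", granted_access(&SD_CANONICAL, &ALICE, ACCESS_WRITE));
    printf("write on non-canonical DACL: 0x%x\n", granted_access(&SD_NONCANONICAL, &ALICE, ACCESS_WRITE));
    printf("all of shutdown+backup:      %d\n", privileges_enabled(&ALICE, SHUTDOWN_AND_BACKUP, 2, true));
    return 0;
}
```

The non-canonical descriptor is the case worth remembering: the ACEs are identical, only their order differs, yet the write that the canonical DACL refuses is granted. A server that builds security descriptors for its private objects should therefore keep deny ACEs ahead of allow ACEs (the order the system's own editing APIs maintain), and should treat a NULL DACL as "unprotected" rather than "default protected".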